Our blog

Can a data breach be a good thing?

Big security breaches gain headlines, but organisations often fail to learn from them. Here’s how our apprentices help us avoid a car crash for cyber security.

Failing to learn the right lessons.

Rubbernecking; we’ve all been there. Driving along the motorway, and suddenly the traffic grinds to a halt for no apparent reason. Crawling along, you try not to make eye contact with fellow motorists as you absent-mindedly sing along to Bohemian Rhapsody on the radio.

Three miles of near-stationary traffic later, you find that the cause of the holdup is a minor shunt that’s almost devoid of the need for insurance intervention. But three lanes of motorists have to slow down and stare at someone else’s misfortune.

Do we ever learn anything from the accidents we observe on the hard shoulder? Or do we just use the incident as entertainment to break up an otherwise monotonous journey?

The emergency services certainly use the aftermath of accidents to teach us about the dangers of things like using mobile phones when driving, or speeding. But that takes someone else to give us input. Usually, we just slow down, stare and carry on with our journey.

Speeding towards a cyber crash.

So, what on Earth does this have to do with Cyber Security? More than you’d think, actually.

Cyber security is blessed with the curse of popular prominence. For loads of reasons, we can all relate to significant breaches — because of the industries we work in, the companies we buy from and the services we use.

When automotive hacking received media coverage, and a certain manufacturer’s car was on our driveway, we took a sharp intake of breath…and carried on as normal.

Creating a pile-up of problems.

Some of us — those people among us engaged in gathering cyber intelligence and defending our companies from attack — know intrinsically what caused these attacks. And, therefore, we’re well placed to defend our organisations against the vulnerabilities that were exploited.

But, can you put your hand on your heart and say that your personal security behaviour has changed as a result of the popular prominence of cyber security breaches and attacks that we see and read about in the news?

Are we leaving it up to the professionals (the emergency services, if we go back to my traffic collision analogy) to do something to prevent it happening to us? Are we expecting them to tell us what to do? Do we actually do anything when they tell us?

Speeding is dangerous. It causes accidents and road casualties. The emergency services tell us about this all the time. It’s something we all know. So, hands up those people who haven’t gone over the speed limit in the last twelve months. No one. Who’d have thought?

The potential of popular prominence.

If breaches didn’t happen, or they didn’t become prominent in media, would we become even more complacent about our personal cyber security practices? Would we neglect our personal skills development that’s important to us keeping up-to-date with current threats in order for us to do our jobs well? We might.

So does that mean that breaches are a good thing, because they keep us on our toes? Or is the popular prominence of breaches good, because it keeps us aware of what’s happening in the big bad world of cyber? Discuss.

Learning from the apprentices.

This whole topic shows the importance of apprenticeships, and the learning opportunities they provide.

BT’s apprentices constantly inspire me with their thirst of knowledge, their lack of complacency and their innovative approach to problems. They’ll grasp the most tentative of threads and learn from it, and will constantly turn experiences — no matter how small — into learning.

A couple of our apprentices recently talked about this on Radio 4 and Radio 5 Live after the government announced the availability of funds to teach cyber security in UK school classrooms (popular prominence in action) in a positive way.

Of course, popular prominence will only be effective if we use it in this positive way. Rubbernecking will never actually teach us anything, unless we learn lessons from what we see.